The Seattle Times, Business and Technology
Saturday, November 29, 2003 - Page updated at 12:00 A.M.
Going by the rules with software flaws

By Joseph Menn
Los Angeles Times

As the cost of securing data against malicious attacks continues to escalate, big technology companies and security researchers are stepping up efforts to control the spread of information about software holes that make computers vulnerable to hackers.

Yet they fear they are not moving fast enough to avert a wave of lawsuits and legislation that could impose strict rules on corporate-software buyers, criminalize the work of some security researchers or hold companies like Microsoft liable for attacks on their customers.

"It's not a matter of if but when there will be new regulation," said Vincent Weafer, senior director of incident response at Symantec in Cupertino, Calif., which makes anti-virus and other security software.

Data security, which wasn't very good to begin with, has been getting worse as software is designed to do more things and connect more people. Hackers and other researchers have been finding flaws with increasing frequency, and saboteurs are exploiting those flaws by designing viruses, worms and other programs at ever-faster rates.

That's why most security researchers agree not to publicize the holes they find until target software makers come up with patches and distribute them to customers.

Now some of the biggest names in technology are trying to formalize the process by crafting guidelines to govern when security holes are disclosed and the corresponding patches are released. Working with the Organization for Internet Security, Microsoft, Symantec, Oracle and other companies are hammering out rules they hope will pressure bug finders not to publicize their findings until it is deemed safe for them to do so.

"We think it will improve the situation," said Scott Culp, senior security strategist for Microsoft.

The guidelines, which don't have the force of law, lay out nearly 100 steps for what a person should and shouldn't do after finding a hole. They also govern the appropriate responses for the company that wrote the faulty software.

At first, the plan says, a hacker should notify the software maker and refrain from publicizing the vulnerability. The software company, in return, is supposed to keep the hacker informed as it develops a patch, a process that should take about a month.

Then another month is supposed to elapse before the hacker may broadcast details about the problem he or she found.

If no software patch can be developed, according to the Organization for Internet Security, those details should never be released.

So far, the guidelines have won over few hackers who work for small companies or on their own.

Dave Aitel, a respected hacker and veteran of the National Security Agency, thinks the rules are stupid. Aitel and others complain that companies will falsely claim they can't construct a patch, leaving hackers no opportunity to publicize the flaws they find.

"The only people who will benefit are the vendors, the criminals," and malicious hackers, Eric Raymond, a leading technical author, wrote to the Internet security group.

If a patch does come out, experts fear, talented virus writers will study it and work backward to find the underlying problem. Then they'll write a malicious program to exploit it, as they did with the Blaster worm this summer.

Meanwhile, many systems administrators will be reluctant to install the patch for the month before they know the underlying problem, since many patches turn out to have bugs themselves.

"The net result is that attackers will have a head start," said Byrne Ghavalas, a researcher with Network Security Consulting Services in Reading, England.

Still, tech companies feel they have to do something. They fear Congress will pass laws holding them responsible when hackers breach the software they create, an approach being advocated by the National Academy of Sciences.

Rep. Adam Putnam, R-Fla., chairman of a House subcommittee on information technology, recently warned that the next time a major Internet virus strikes, Congress will be under extreme pressure to do something dramatic.

In the meantime, lawsuits and threats of legal action are piling up. A Los Angeles woman is seeking class-action status for her suit against Microsoft, arguing that it ran afoul of a new California law requiring companies to let customers know when hackers gain access to personal information.

More commonly, software companies are threatening to sue hackers who expose holes in their products. Hewlett-Packard, SunnComm and GameSpy all have issued threats under the Digital Millennium Copyright Act, a 5-year-old law whose anti-circumvention provisions prohibit defeating copy-protection measures and distributing some software code derived from reverse-engineering them.

HP and SunnComm withdrew their threats after an outcry from security experts; GameSpy succeeded this month in forcing an Italian researcher to delete references to GameSpy bugs from his Web site.

"This is a battlefield," said Jennifer Granick, a cyber law specialist at Stanford University's Center for Internet and Society.

Copyright © 2003 The Seattle Times Company